MOORE v. HIGHPOINT SOLUTIONS, LLC et al

Filing 22

OPINION. Signed by Judge Joseph H. Rodriguez on 6/5/2018. (rtm, )

Download PDF
UNITED STATES DISTRICT COURT DISTRICT OF NEW JERSEY JACLYN MOORE, Individually and on : Behalf of All Others Similarly Situated, Plaintiff, : v. : HIGHPOINT SOLUTIONS LLC and CHRISTINE M. CUSHMAN, : Defendants. Hon. Joseph H. Rodriguez Civil Action No. 17-6266 OPINION : This matter is before the Court on motion of Defendant Highpoint Solutions LLC (“HighPoint”) to dismiss the Complaint pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6). The Court has considered the submissions of the parties and heard oral argument on May 30, 2018. For the reasons placed on the record that day, as well as those articulated below, the motion will be granted. Background Plaintiff Jaclyn Moore, a HighPoint contract employee since April 2017, has filed a purported Class Action Complaint as the result of a data breach by Defendant Christine M. Cushman, who was HighPoint’s Human Resource Director. 1 On August 7, 2017, the Montgomery County, Pennsylvania District Attorney’s office and certain news outlets announced that Cushman had stolen approximately one million dollars from HighPoint over a two-year period using private financial information HighPoint maintained concerning subcontractors. Specifically, from May 5, 2015 to June 15, 2017, Cushman used this stolen information to issue herself 45 fraudulent checks totaling $919,301. 1 1 The press release provided: NORRISTOWN, Pa. (Aug. 7, 2017)—Montgomery County District Attorney Kevin R. Steele and East Norriton Township Police Chief Karyl J. Kates announce the arrest of Christine Cushman, 31, of Douglassville, Pa., on felony charges of Theft by Unlawful Taking, Receiving Stolen Property and Identity Theft for stealing $919,301 from her employer, HighPoint Solutions LLC, in East Norriton. HighPoint Solutions was alerted to the potential thefts by its payroll company, after a bank officer had noticed suspicious multiple direct deposits of significant size going into the defendant’s personal account. The company’s chief financial officer met with East Norriton Township Detective Anthony Caso on July 4, 2017, about the potential theft. The ensuing investigation revealed that Cushman, who was HighPoint Solutions’ director of human resources, was issuing fraudulent payroll checks in the names of four former subcontractors who no longer did business with the company. Cushman’s responsibilities included preparing and reviewing the payroll information before it was submitted to the outside payroll company. The 45 thefts occurred between May 5, 2015 and June 15, 2017 and totaled $919,301. “Nearly $1 million was stolen from this company by a senior2 On August 8, 2017, HighPoint’s CEO John Seitz emailed HighPoint’s employees concerning Cushman’s actions. The e-mail provided: Colleagues, By now many of you are aware of the press release from the Pennsylvania District Attorney and subsequent articles regarding Christine Cushman, our former HR Manager. HighPoint indeed was the victim of a corporate theft over the past two years. The details are available in numerous online articles—I’ve attached the most thorough one I’ve found below. http://www.readingeagle.com/news/article/amity-townshipwoman-stole-nearly-1-million-from-employer-police-say The purpose of my email is to explain the actions we have taken, as well as inform you of any risks to the company and employees’ personal and financial information. By all evidence we’ve seen, HighPoint was the only victim in this theft, as funds were stolen from our bank account. No client, employee, or subcontractor bank account ever received or had any funds withdrawn. Once informed, we took appropriate remediation steps—including notifying the authorities. We have hired an independent, national audit firm to perform a forensic audit of our financial records and our controls to ensure no further damage has occurred beyond what we’ve found, as well as to help strengthen our financial oversight. Although the amount stolen was indeed significant, I can assure you we are a profitable and financially sound company. level, trusted employee. This breach of trust is something that needs to be guarded against by other companies,” said Steele. “Unfortunately, corporate theft is all too prevalent and requires a system of checks and balances within the corporate system to make sure this doesn’t happen.” (Compl. ¶ 14.) 3 For our employees, as I mentioned, all evidence points to only a HighPoint bank account being involved in this theft. However, please understand that our HR Department does have on file (and Ms. Cushman had access to) all employee Social Security information as well as bank account information for those using direct deposit. At this time, we don’t know if employee personal information was also stolen. Please be on alert for any suspicious activity relating to your personal and financial records. For those customers who ask, please make clear to them that Ms. Cushman did not have access to customer information/invoicing, and we believe there is no risk to customer identity information. We can also assure them that we are a financially sound partner and that we will be filing an insurance claim for this matter. Finally, we are coordinating all activities and communications strictly with the authorities, and I would ask all employees to refrain from participating in any social media discussions relating to this matter. Thank you for your patience and understanding during this process. Sincerely, John Seitz, Chief Executive Officer HighPoint Solutions, LLC (Compl. ¶ 15.) Seitz e-mailed HighPoint’s employees again on August 10, 2017, as follows: As a follow up to my Tuesday email regarding the risk of compromise to our employee information (i.e. the “Cushman matter”), we have purchased a corporate-wide LifeLock identity protection subscription for all employees to help monitor and protect each employee’s individual financial records. We have 4 purchased a 12-month plan that covers each U.S.-based employee, plus spouse and 1 child. Ms. Cushman had no involvement in ex-U.S. payroll processing, so we feel the U.S. focus covers all relevant risk. The corporate subscription will take a few days to activate, and we will be sending sign-up directions once available. In addition, we are communicating the events and our remediation plan to our clients on a case-by-case basis. If you are aware of a customer who has raised concerns about this matter, please direct that inquiry to a HighPoint executive, as we are replying directly to those clients one-on-one. For your benefit, our message to those clients is as follows: • Once aware of the theft, we took immediate action, including notifying local law enforcement authorities • As a $170M revenue company, this theft obviously hurt, but in no way affects our standing as a profitable and financially strong partner. We have also submitted an insurance claim to recover most of the loss • This breach occurred within our HR payroll operations, specific to sub-contractors—separated from our client financial operations that includes timesheet management, project management and invoicing • We have hired a nationally-accredited audit firm to perform a thorough review of our financial controls and to perform a forensic audit of our financial records Thank you for your continued patience as we continue to sort out and resolve this matter. Regards, John Seitz, Chief Executive Officer HighPoint Solutions, LLC (Compl. ¶ 16.) As a result of the data breach, Plaintiff has alleged that Defendants negligently failed: 5 to secure and safeguard her personal identifying information (“PII”), and that of, at least, all of HighPoint’s past and current employees, agents, subcontractors, customers and service providers, as well as their families and dependents (the “Class”). This PII includes, but is not limited to, the: names, Social Security numbers, Taxpayer Identification Numbers, birthdates, addresses, telephone numbers, email addresses, healthcare records, salary and bonus details, contract and agreement details, sensitive employment information such as performance evaluations, disciplinary and employment termination details, severance packages, and/or other personal information concerning HighPoint’s past and current employees, agents, subcontractors, customers and service providers, as well as their families and dependents. HighPoint was also negligent in failing to provide timely and adequate notice to Plaintiff and the Class that their PII had been stolen and precisely what types of information were stolen. (Compl. ¶ 3.) Against HighPoint, the Complaint alleges negligence, intrusion upon seclusion, breach of fiduciary duty, breach of contract, breach of implied contract, violation of the New Jersey Computer Related Offenses Act, and vicarious liability. There is an additional claim for unjust enrichment against Cushman. HighPoint seeks dismissal of the Complaint. Motion to Dismiss Standard Rule 12(b)(1) of the Federal Rules of Civil Procedure permits the dismissal of an action for “lack of subject matter jurisdiction.” “A motion to dismiss for want of standing is also properly brought pursuant to Rule 12(b)(1), because standing is a jurisdictional matter.” Ballentine v. United States, 486 F.3d 806, 810 (3d Cir. 2007). “The party invoking federal 6 jurisdiction bears the burden of establishing the elements of standing, and each element must be supported in the same way as any other matter in which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.” Focus v. Allegheny Cnty. Court of Common Pleas, 75 F.3d 834, 838 (3d Cir. 1996) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992)). A Rule 12(b)(1) motion may be treated as either a facial or factual challenge to the court’s subject matter jurisdiction. Davis v. Wells Fargo, 824 F.3d 333, 346 (3d Cir. 2016). A facial attack contests the sufficiency of the pleadings, whereas a factual attack contests the sufficiency of jurisdictional facts. Lincoln Ben. Life Co. v. AEI Life, LLC, 800 F.3d 99, 105 (3d Cir. 2015). When considering a facial attack, the court accepts the plaintiff’s well-pleaded factual allegations as true and draws all reasonable inferences from those allegations in the plaintiff’s favor. In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625, 633 (3d Cir. 2017). When reviewing a factual attack, the court may weigh and consider evidence outside the pleadings. Gould Elecs. Inc. v. United States, 220 F.3d 169, 176 (3d Cir. 2000). Federal Rule of Civil Procedure 12(b)(6) permits a motion to dismiss “for failure to state a claim upon which relief can be granted[.]” For a 7 complaint to survive dismissal under Rule 12(b)(6), it must contain sufficient factual matter to state a claim that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. Further, a plaintiff must “allege sufficient facts to raise a reasonable expectation that discovery will uncover proof of her claims.” Connelly v. Lane Const. Corp., 809 F.3d 780, 789 (3d Cir. 2016). In evaluating the sufficiency of a complaint, district courts must separate the factual and legal elements. Fowler v. UFMC Shadyside, 578 F.3d 203, 210-11 (3d Cir. 2009) (“Iqbal ... provides the final nail-in-the-coffin for the ‘no set of facts’ standard that applied to federal complaints before Twombly.”). The Court “must accept all of the complaint’s well-pleaded facts as true,” Fowler, 578 F.3d at 210, “and then determine whether they plausibly give rise to an entitlement for relief.” Connelly, 809 F.3d at 787 (citations omitted). Restatements of the elements of a claim, however, are legal conclusions and, therefore, not entitled to a presumption of truth. Burtch v. Milberg Factors, Inc., 662 F.3d 212, 224 (3d Cir. 2011). 8 Discussion Plaintiff has conceded through briefing that her claims for breach of contract and breach of implied contract cannot survive and are voluntarily dismissed. Accordingly, the remaining claims are for negligence 2 and breach of fiduciary duty, intrusion upon seclusion, 3 violation of the New Jersey Computer Related Offenses Act, 4 and vicarious liability. 5 Under New Jersey law, to prove negligence, the plaintiff must establish: (1) a duty of care owed to the plaintiff by the defendant; (2) that defendant breached that duty of care; and (3) that plaintiff’s injury was proximately caused by defendant’s breach. Smith v. Kroesen, 9 F. Supp. 3d 439, 442 (D.N.J. 2014) (citing Endre v. Arnold, 692 A.2d 97 (N.J. Super Ct. App. Div. 1997)). 2 Intrusion upon seclusion occurs when a plaintiff can show (i) an intentional intrusion (ii) upon the seclusion of another that is (iii) highly offensive to a reasonable person. In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 293 (3d Cir. 2016), cert. denied sub nom. C. A. F. v. Viacom Inc., 137 S. Ct. 624 (2017). 3 Under the New Jersey Computer Related Offenses Act, a person or enterprise is liable for: “The purposeful or knowing, and unauthorized altering, damaging, taking or destruction of any data, data base, [etc.]; . . . The purposeful or knowing accessing and reckless altering, damaging, destroying or obtaining of any data, data base, [etc.].” N.J. Stat. Ann. § 2A:38A-3. 4 An employer may be vicariously liable for its employee’s act within the scope of her employment: (1) if the act is of the kind she is employed to perform; (2) if it occurs substantially within the authorized time and space limits; (3) if it is actuated, at least in part, by a purpose to serve the employer; and (4) if force is intentionally used by the employee against another, the use of force is not unexpectable by the employer. Davis v. Devereux Found., 37 A.3d 469, 489-90 (N.J. 2012). 5 9 The Constitution limits the subject matter jurisdiction of federal courts to “cases” and “controversies.” See U.S. Art. III § 2. To establish Article III standing, a plaintiff must plead “an ‘injury in fact’ or an ‘invasion of a legally protected interest that is concrete and particularized,’ . . . a ‘causal connection between the injury and the conduct complained of,’ and ‘a likelihood that the injury will be redressed by a favorable decision.’” In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 633 (3d Cir. 2017) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)). See also Anjelino v. N.Y. Times Co., 200 F.3d 73, 88 (3d Cir. 2000) (“Standing is established at the pleading stage by setting forth specific facts that indicate that the party has been injured in fact or that injury is imminent, that the challenged action is causally connected to the actual or imminent injury, and that the injury may be redressed by the cause of action.”). The Supreme Court has made clear that an “injury in fact” must be “concrete,” which means “it must actually exist.” Spokeo Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). “Concrete” injuries may be “intangible” or noneconomic, but, like other cognizable injuries, they must be “actual or imminent, not conjectural or hypothetical.” Spokeo, 136 S. Ct. at 1548. See also Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (“threatened 10 injury must be certainly impending to constitute injury in fact,” and “[a]llegations of possible future injury” are not sufficient); Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (finding, in a data security breach case, “[a]llegations of ‘possible future injury’ are not sufficient to satisfy Article III”). To determine whether an intangible harm is sufficiently concrete, a court must first decide “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Spokeo, 136 S. Ct. at 1549. If so, “it is likely to be sufficient to satisfy the injury-in-fact element of standing.” Horizon, 846 F.3d at 637. Next, the court determines “whether Congress has expressed an intent to make an injury redressable;” for, “even if an injury was previously inadequate in law, Congress may elevate it to the status of [a] legally cognizable injur[y].” Id. (quoting Spokeo, 846 F.3d at 637). Even in the context of a statutory violation, however, Article III standing requires a concrete injury. Spokeo, 136 S. Ct. at 1549. Applying Spokeo, the Third Circuit denied a facial challenge in a Fair Credit Reporting Act case where plaintiff alleged that two laptop computers containing unencrypted personal information of over 800,000 health insurance customers were stolen from the defendant’s headquarters. 11 Horizon, 846 F.3d at 630. Among the stolen data was names, addresses, member identification numbers, dates of birth, “and in some instances, a Social Security Number and/or limited clinical information.” Id. The breach led to a fraudulent tax return filed in plaintiff's name and to an attempted credit card fraud. Plaintiff was also “denied retail credit because his social security number has been associated with identity theft.” Id. The Third Circuit held that the alleged injuries were sufficiently “concrete” to confer constitutional standing. First, under Anglo–American law, “unauthorized disclosures of information have long been seen as injurious.” Id. at 638. “The common law alone will sometimes protect a person’s right to prevent the dissemination of private information . . . [and] improper dissemination of information can itself constitute a cognizable injury.” Id. at 638-39. Second, by passing the FCRA, Congress clearly intended to establish “that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself— whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” Id. at 639. The Court limited it holding as follows: We are not suggesting that Horizon’s actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one’s reputation or otherwise offensive. But with the 12 passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm. It created a private right of action to enforce the provisions of FCRA, and even allowed for statutory damages for willful violations—which clearly illustrates that Congress believed that the violation of FCRA causes a concrete harm to consumers. And since the “intangible harm” that FCRA seeks to remedy “has a close relationship to a harm [i.e. invasion of privacy] that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,” Spokeo, 136 S. Ct. at 1549, we have no trouble concluding that Congress properly defined an injury that “give[s] rise to a case or controversy where none existed before.” Id. (citation and internal quotation marks omitted). Horizon, 846 F.3d at 639-40. Here, Plaintiff has not pled a violation of FCRA or another statute that may be read to create standing by its mere violation, as in Horizon. As such, traditional concepts of standing guide the Court’s analysis. See Reilly, 664 F.3d at 41-43 (“Constitutional standing requires an injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical. . . . [A]llegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”). In this case, the Court finds that Plaintiff has failed to allege facts demonstrating that she has sustained a concrete injury in fact. Any allegation of an increased risk of identity theft is speculative and 13 conclusory. Plaintiff has pled no facts to indicate that her personal identifying information was even accessed by Cushman, but more importantly, Plaintiff has failed to allege actual misuse of her personal identifying information. Other courts in this District have held that plaintiffs who similarly alleged that personal information was lost or compromised, without asserting misuse, lacked standing to bring claims following data breaches. See Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013) (stating that “the Third Circuit expressly determined in Reilly that the ‘alleged time and money expenditures [of the plaintiffs] to monitor their financial information [did] not establish standing . . . because costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the allege ‘increased risk of injury’ which form[ed] the basis for’ the plaintiffs’ claims”); Hinton v. Heartland Payment Sys., Inc., No. 09-594, 2006 WL 2177036, at *1 (D.N.J. Mar. 16, 2009); Giordano v. Wachovia Sec., LLC, No. 06-476, 2006 WL 2177036, at *4-5 (D.N.J. July 31, 2006) (“The mere possibility of future harm fails to satisfy the standing requirements of the Supreme Court and the Third Circuit Court of Appeals.”). See also Storm v. Paytime, Inc., 90 F. Supp. 3d 359 (M.D. Pa. 2015) ([T]he Third Circuit requires its district 14 courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending.”); Allison v. Aetna, Inc., Civ. No. 09-2560, 2010 WL 3719243, at *4-5 (E.D. Pa. Mar. 9, 2010) (finding the “mere possibility of increased risk of identity theft” insufficient to confer standing) (emphasis in original). Conclusion For the reasons stated here and those discussed on the record during oral argument, Defendant’s motion to dismiss for lack of standing will be granted. An appropriate Order will issue. Dated: June 5, 2018 /s/ Joseph H. Rodriguez Hon. Joseph H. Rodriguez U.S.D.J. 15

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?